Authenticating Users to UNIX Systems with Novell eDirectory and LDAP

Britt Courtney
Principal Architect
Novell Consulting
bcourtney@novell.com

Barry Fausnaugh
Principal Architect
Novell Consulting
bfausnaugh@novell.com

This AppNote describes a consulting project that was undertaken to allow users of UNIX systems running Sun Solaris to authenticate to Novell eDirectory via LDAP. It provides both design and implementation details that can be adapted for use in similar projects.

Contents:

Topics
Novell eDirectory, LDAP, UNIX, integration
Products
Novell eDirectory, Sun Solaris
Audience
network administrators, consultants, integrators
Level
intermediate
Prerequisite Skills
familiarity with Novell and UNIX environments and LDAP
Operating System
n/a
Tools
none
Sample Code
yes

Introduction

This AppNote describes a project that was undertaken to implement a solution to allow Solaris UNIX systems to consume user account and group information from Novell eDirectory using Lightweight Directory Access Protocol (LDAP).

By integrating the necessary Solaris user and group information with the corresponding user information in eDirectory, you create a single point of user and group management which can:

Implementing this solution involves three main steps: extending the eDirectory schema, implementing the LDAP PAM and NSS modules on the Solaris systems, and modifying the configuration files on the Solaris system.

This AppNote first details the design specifications in terms of the Solaris requirements and the eDirectory requirements. It then covers the actual implementation guidelines and procedures used to accomplish the project.

Solaris Design Specifications

The specific information which must be provided to the Solaris system by eDirectory for user authentication and authorization is the information that would ordinarily be maintained in the following files (assuming that traditional UNIX authentication is being used):

This is the same information that is maintained by NIS (Network Information Service).

Required Modules

Three modules are required on the Solaris system:

The PAM and NSS modules are public domain software maintained by PADL Software Company in Melbourne, Australia. PADL Software runs three Internet mailing lists which allow users of their software to support each other: nssldap@padl.com, pamldap@padl.com, and ldap-nis@padl.com. To subscribe to any of these mailing lists, send an e-mail to majordomo@padl .com with "subscribe listname" in the message body. PADL Software also offers fee-based support of these modules if required. PADL Software's Web site is at http://www.padl.com.

RFC 2307, entitled "An Approach for Using LDAP as a Network Information Service" (see http://www.ietf.org/rfc/rfc2307.txt), presents a directory schema that was authored by PADL and has been endorsed by all major UNIX vendors. It identifies the information contained in the /etc/passwd file as posixAccount information, information in the /etc/shadow file as shadowAccount information, and information in the /etc/group file as posixGroup information when working with the user and group information contained in eDirectory. RFC 2307 also covers a wide range of NIS/directory-related topics not discussed in this AppNote.

PADL Software's pam_ldap.  The version of the pam_ldap module provided in this solution is pam-ldap-124. This module was downloaded from PADL Software's Web site and compiled using gcc-2.95.3. This module must be installed in the /usr/lib/security directory.

Note:
If you want to update to a newer version of this module after it is installed, you will need to download the latest version from PADL Software's Web site and then compile and install the new module.

Solaris 8 comes with a preinstalled LDAP library module. However, the pam_ldap module would not compile properly using the preinstalled LDAP libraries. It was for this reason that Netscape's LDAP libraries were used. In order to make the pam_ldap module link to the Netscape library, it was necessary to disable the preinstalled Solaris LDAP library. This was accomplished by moving the libldap.so.4 file from the /etc directory to /tmp until the module was compiled. Once the module was compiled, the library was returned to its original location.

It is important to note that, for this project, the modules were compiled and delivered to the client in binary form; they were not compiled on the client's system. However, it should be easy for the client to recompile or update modules in the future by following the documentation that comes with pam-ldap-124 from PADL Software and using gcc-2.95.3 with the Netscape LDAP library.

PADL Software's nss_ldap.  The version of the nss_ldap module provided in this solution is nss-ldap-170. This module was downloaded from PADL Software's Web site and compiled using gcc-2.95.3. This module must be installed in the /usr/lib directory.

As with the pam_ldap module, it was necessary to disable the preinstalled LDAP library on Solaris 8 to compile this module.

Netscape's libldapssl40.  This module provides the necessary LDAP libraries for the pam_ldap and nss_ldap modules to interface with eDirectory via LDAP. The libldapssl40.so file is required on every system where these modules are installed. It must be installed in the /usr/lib directory.

The module comes precompiled from Netscape's developer Web site at http://developer.netscape.com. It is included in the Directory SDK download. Also in the Directory SDK are the include files (ending in .h) which must be copied to the /usr/include directory (or another location where you normally put supplemental libraries) if the pam_ldap and nss_ldap modules are to be compiled on a particular system. If you use a location other than /usr/include, you will need to include the appropriate settings for the additional directory when compiling the modules. The include files are only required on systems where the modules are being compiled. (Newer versions of this module are available from Sun's iPlanet Web site at http://www.iplanet.com.)

Other Required Files

Many UNIX systems use a configurable, module-based system for authentication, authorization, session management, and password management. This architecture is known as PAM or Pluggable Authentication Modules. PAM functionality is available on systems running Solaris 2.6 and later.

The pam.conf File.  PAM is configured by editing a file called pam.conf in the /etc directory. An entry in this file defines which services (telnet, ftp, rlogin, and so on) are serviced by which authentication systems (traditional UNIX authentication, LDAP, smart cards, and so on). Modules for the same service can be stacked. Depending on how the modules are stacked and configured, multiple services may be used by the same authentication module.

Each entry in the pam.conf file has four required fields and an optional field.

The first field defines the service to which the entry applies.

The second field defines which of four types of activity the entry applies to:

The third field is called the control flag, which determines how the particular activity uses the PAM module specified in the fourth field. The values of the control flag can be:

The fourth field specifies the full path to the PAM module to be used.

The fifth field is optional and may contain one of several values. For purposes of this AppNote, we will focus on two of those values: "try_first_pass" and "use_first_pass". Each of these values would be used when you have multiple entries in the pam.conf file for a specific service; they would be placed on the second or subsequent entry.

For each service configured in PAM, the modules are processed in the order they appear in the pam.conf file. (You can obtain additional information by reading the man pages on pam.conf.)

The following listing shows a sample pam.conf file set up to direct Telnet and FTP authentications to LDAP, as well as traditional UNIX authentication if LDAP authentication fails. The file is also set up to include account authorization and password management via LDAP and then files if the LDAP module fails.

#
#ident    "@(#)pam.conf    1.15                  00/02/14 SMI"
#
# Copyright (c) 1996-1999 by Sun Microsystems, Inc.
# All rights reserved.
#
# PAM configuration
# Authentication management
#
login      auth required          /usr/lib/security/$ISA/pam_unix.so.1 
login      auth required          /usr/lib/security/$ISA/pam_dial_auth.so.1 
#
rlogin     auth sufficient        /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin     auth required          /usr/lib/security/$ISA/pam_unix.so.1
#
dtlogin    auth required          /usr/lib/security/$ISA/pam_unix.so.1
#
telnet     auth sufficient        /usr/lib/security/pam_unix.so.1
telnet     auth required          /usr/lib/security/pam_ldap.so.1 use_first_pass
#

ftp        auth sufficient        /usr/lib/security/pam_unix.so.1
ftp        auth required          /usr/lib/security/pam_ldap.so.1 use_first_pass
#
rsh        auth required          /usr/lib/security/$ISA/pam_rhosts_auth.so.1
other      auth required          /usr/lib/security/$ISA/pam_unix.so.1
#
# Account management
#
login      account requisite      /usr/lib/security/$ISA/pam_roles.so.1 
login      account required       /usr/lib/security/$ISA/pam_projects.so.1
login      account required       /usr/lib/security/$ISA/pam_unix.so.1 
#
dtlogin    account requisite      /usr/lib/security/$ISA/pam_roles.so.1 
dtlogin    account required       /usr/lib/security/$ISA/pam_projects.so.1
dtlogin    account required       /usr/lib/security/$ISA/pam_unix.so.1 
#
telnet     account sufficient     /usr/lib/security/pam_ldap.so.1
telnet     account required       /usr/lib/security/pam_unix.so.1
#
ftp        account sufficient     /usr/lib/security/pam_ldap.so.1
ftp        account required       /usr/lib/security/pam_unix.so.1
#
other      account requisite      /usr/lib/security/$ISA/pam_roles.so.1 
other      account required       /usr/lib/security/$ISA/pam_projects.so.1
other      account required       /usr/lib/security/$ISA/pam_unix.so.1 
#
# Session management
#
other      session required       /usr/lib/security/$ISA/pam_unix.so.1 
#
# Password management
#
other      password sufficient    /usr/lib/security/pam_ldap.so.1
other      password required      /usr/lib/security/pam_unix.so.1 
dtsession  auth required          /usr/lib/security/$ISA/pam_unix.so.1

The beauty of the PAM architecture is the ability for developers to write applications that use authentication schemes completely independent of the application. For example, the following listing shows the pam.conf file used on production Solaris servers configured to access Interwoven's TeamSite 5.0. (The TeamSite service entries are shown in boldface type.)

#
teamsite     auth sufficient        /usr/lib/security/pam_ldap.so.1
teamsite     auth required          /usr/lib/security/pam_unix.so.1 use_first_pass
#
teamsite     account sufficient     /usr/lib/security/pam_ldap.so.1
teamsite     account required       /usr/lib/security/pam_unix.so.1
#
# Password management
#
other        password sufficient    /usr/lib/security/pam_ldap.so.1
other        password required      /usr/lib/security/pam_unix.so.1 
dtsession auth required             /usr/lib/security/$ISA/pam_unix.so.1

The nsswitch.conf File.  The nsswitch.conf file, also located in the /etc directory, is used to configure which system will be used for shadow information (the shadow file) and password information (for authentication purposes). Each entry in the file consists of the name of the function and then a list of the modules to be referenced.

The sample nsswitch.conf file listed below is the one used on the production servers. The lines in boldface type show passwd and group access being directed to the local file system and LDAP.

#
# /etc/nsswitch.file:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
   
   
passwd:                 files ldap
group:                  files ldap
hosts:                  files dns
ipnodes:                files
networks:               files
protocols:              files
rpc:                    files
ethers:                 files
netmasks:               files   
bootparams:             files
publickey:              files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:               files
automount:              files
aliases:                files
services:               files
sendmailvars:           files
printers:            user files

The ldap.conf File.  The ldap.conf file is used to configure LDAP-specific information for the pam_ldap.so and nss_ldap.so modules. The following entries are the minimum required in this file to provide SSL-encrypted communication and group level authorization to systems with eDirectory:

If it is desired to authenticate as a specific user when retrieving user information instead of performing an anonymous bind, the following parameters must be set (it takes more computing resources to perform an authenticated bind than an anonymous bind):

The following listing shows the ldap.conf file used on the production servers for this project, including options other than those listed above to show what is delivered in a full distribution of the LDAP PAM modules.

# @(#)$Id: ldap.conf,v 1.20 2001/08/22 09:53:12 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#
   
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
   
# The distinguished name of the search base.
base o=company
   
# Another way to specify your LDAP server is to provide an uri with the server
# name. This allows use of Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
   
# The LDAP version to use (defaults to 3 if supported by client library)
#ldap_version 3
   
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
binddn cn=admin,o=company
   
   
# The credentials to bind with. 
# Optional: default is no credential.
bindpw password
   
# The distinguished name to bind to the server with if the effective user ID
# is root. Password is stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=padl,dc=com
   
# The port.
# Optional: default is 389.
#port 389
   
# The search scope.
scope sub
#scope one
#scope base
   
# Search timelimit
#timelimit 30
   
# Bind timelimit
# If using Netscape SDK 4.x, this is used to set the TCP connection timeout
# as well as the bind timelimit.
#bind_timelimit 30
   
# Filter to AND with uid=%s
pam_filter host=serverA
   
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
   
# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes
   
# Group to enforce membership of
#pam_groupdn cn=solaris,o=admin
   
# Group member attribute
pam_member_attribute member
   
# Template login attribute, default template user (can be overriden by value
# of former attribute in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
   
# HEADS UP: the pam_crypt, pam_nds_passwd, and pam_ad_passwd options
# are no longer supported.
   
# Do not hash the password at all; presume the directory server will do it,
# if necessary. This is the default.
#pam_password clear
   
# Hash password locally; required for University of Michigan LDAP server,
# and works with Netscape Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization service.
#pam_password crypt
   
# Remove old password first, then update in cleartext. Necessary for use
# with Novell Directory Services (NDS)
pam_password nds
   
# Update Active Directory password, by creating Unicode password and
# updating unicodePwd attribute.
#pam_password ad
   
# Use the OpenLDAP password change extended operation to update the password.
#pam_password exop
   
# Netscape SDK LDAPS
ssl on
# Netscape SDK SSL options
sslpath /etc/ssl/certs/cert7.db
   
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
   
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
#tls_checkpeer yes
   
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
   
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
   
# Client sertificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

eDirectory Requirements

To provide the information necessary for each of the Solaris modules to properly set up and maintain a user session, the eDirectory schema must be extended.

Required Object Classes and Attributes

The following LDAP Object Classes are required. The names for all four object classes are the same in LDAP as in eDirectory. Each object class should be created as an auxiliary class in the eDirectory schema:

The following LDAP attributes are associated with the posixAccount object class:

The following attributes are associated with the posixAccount object class. These attributes already exist and are associated with a User object in eDirectory when it is created:

The following attributes are associated with the shadowAccount object class (there are no required attributes of this object class). All of the attributes have the same name in LDAP as in eDirectory:

The following attributes are associated with the posixGroup object class:

The following attributes are associated with the Account object class described in RFC 1274:

The following listing is the LDIF file used to extend the production servers' eDirectory schema to support these RFC 2307 attributes.

# Attributes for RFC2307:posixAccount
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes:(  1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'uidNumber'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'loginShell' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.1 NAME 'gidNumber' DESC 'gidNumber' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'gecos' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'homeDirectory'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE)
   
# Attributes for shadowAccount
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.11 NAME 'shadowFlag' DESC 'shadowFlag' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.5 NAME 'shadowLastChange' DESC
'shadowLastChange' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.10 NAME 'shadowExpire' DESC 'shadowExpire'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.9 NAME 'shadowInactive' DESC 'shadowInactive'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.8 NAME 'shadowWarning' DESC 'shadowWarning'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.7 NAME 'shadowMax' DESC 'shadowMax' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  1.3.6.1.1.1.1.6 NAME 'shadowMin' DESC 'shadowMin' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
   
# Attributes for RFC1274:Account
   
dn: cn=schema
changetype: modify
add: attributetypes
attributeTypes: (  0.9.2342.19200300.100.1.9 NAME 'host' DESC 'host' 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15

The following listing is the LDIF file used to extend the eDirectory schema to support the RFC 2307 object classes.

dn: cn=schema
changetype: modify
add: objectclasses
objectClasses: (0.9.2342.19200300.100.4.5 NAME 'account' DESC 'account'
AUXILIARY MAY host)
   
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'posixAccount'
AUXILIARY MAY (uidNumber $ loginShell $ gecos $ gidNumber $ homeDirectory ))
   
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: (1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'shadowAccount'
AUXILIARY MAY (shadowLastChange $ shadowFlag $ shadowExpire $ shadowInactive $
shadowMax $ shadowMin $ shadowWarning ))

Note that before importing these attribute and object class LDIF files, you must delete two attribute mappings from the LDAP Group mappings tab:

From an LDAP perspective, uid and gid already exist since they are mapped to UID and GID in the native eDirectory schema. If these two mappings are not deleted, the schema extensions described above will fail.

Directory Trustee Settings

Since UNIX user account information will be stored in eDirectory, it may be desirable to protect that information from unwanted viewing by users who are not authorized to use the information. Typically, in a Solaris environment, a user must be authenticated to the system in order to view the account information for that system.

It is also necessary to make sure the pam_ldap and nss_ldap modules are able to retrieve the information they need to properly establish a user session. Some of this information must be available before the user has authenticated to the directory.

In order to meet both objectives, a special user account used exclusively for retrieving this information should be created in eDirectory. This account should be referenced using the binddn and bindpw parameters in the ldap.conf file. The ldap.conf file permissions should be set to 500. (700 is also acceptable if permanent write permission to this file is desired for the root user.)

This account should have the Browse right to the following attributes:

The rights of the special user account should be similar to the following ACL listing:

dn: o=company
acl: 32#subtree#cn=Server,o=Company#[All Attributes Rights]
acl: 16#subtree#cn=Server,o=Company#[Entry Rights]
acl: 0#subtree#cn=pamadmin,ou=DS-Services,o=Company#[All
Attributes Rights]
acl: 1#subtree#cn=pamadmin,ou=DS-Services,o=Company#[Entry Rights]
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#gecos
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#gidNumber
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#host
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#loginShell
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#uidNumber
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowExpire
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowInactive
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowLastChange
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowMax
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowMin
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowWarning
acl: 3#subtree#cn=pamadmin,ou=DS-Services,o=Company#shadowFlag

Values in this syntax are encoded according to the following notation:

ndsAcl = privileges "#" scope "#" subjectname "#" protectedattrname

The privileges field is a number that represents the kind of access being granted. Performing a bitwise OR on the numbers that represent the desired access arrives at this number. The table below specifies the values:

Value Individual Attributes [Entry Rights]
1
Compare Attributes
Browse Entry
2
Read Attributes
Add Entry
4
Write, Add, Delete Attributes
Delete Entry
8
Add/Delete Self
Rename Entry
16
(none)
Supervisory
32
Supervisory
(none)

The scope field specifies whether or not the privileges are applied to the target entry (the entry containing the ACL) or the target and its subtree ("entry" or "subtree").

The subjectname either contains the distinguished name of the entry being granted the privileges, or one of these special values:

The protectedattrname field either names a specific attribute that the privileges are applied to, or it contains one of the following special values:

Using SSL

SSL is used to provide an encrypted communications channel between the Solaris server and the eDirectory server running LDAP. This does not provide communication encryption between the Solaris server and other clients (such as Telnet and FTP). For that functionality, it would be necessary to use secure versions of those clients or clients that provide similar functionality (such as SSH or Secure FTP). If SSL is not used, all communications between the Solaris servers and the eDirectory server (including passwords) will be cleartext.

In order to establish an SSL session, the Solaris server must have a copy of the LDAP server's Trusted Root. The Trusted Root must be stored in a file format used by the Netscape LDAP SSL library known as cert7.db format. This is also typically the name of the file used to actually store the key.

Instructions for installing an existing public key from an LDAP server into a cert7.db file and placing it on the Solaris server are included in the implementation section of this AppNote.

Using Filtered Replicas

If filtered replicas are used on the LDAP server(s) that are being access by the Solaris systems, the following object classes should have all attributes on the replica:

Other attributes may be present depending on the need of other applications, such as a TeamSite object class created to manage Interwoven's TeamSite 5.0 application.

Implementation Guidelines and Procedures

Much of the implementation process is automated through the use of the pre-built schema files. Procedures are identified below for extending the eDirectory schema, installing the modules on a Solaris system, and installing the cert7.db file with the necessary public key(s).

Extending the eDirectory Schema

The attributes previously identified as being part of the posixAccount object class should be extended into the eDirectory schema. This can be done via Novell's Import/Convert/Export (ICE) utility, ldapmodify, or any other LDAP v3- compliant LDIF processor.

Remember to delete the two LDAP:NDS attribute mappings as described above. Then input the attribute file and the object class file, in that order.

Once this is completed, set the directory trustee permissions as specified above for a special eDirectory access User object that will be used only for eDirectory access by the PAM LDAP modules.

Installing the Modules on Solaris

Installation of the necessary components on the Solaris system involves copying three files (pam_ldap.so, pam_nss.so, and libldapssl40.so) and modifying the three configuration files identified earlier in this AppNote (ldap.conf, pam.conf and nsswitch.conf).

Copy the pam_ldap.so module to /usr/lib/security and set up the permissions
as follows:

lrwxrwxrwx 1 root root     15 pam_ldap.so -> ./pam_ldap.so.1
-rwxr-xr-x 1 root sys 109128 pam_ldap.so.1

Copy the pam_nss.so module to /usr/lib and set up the permissions and symbolic links as follows:

lrwxrwxrwx 1 root bin     15 nss_ldap.so -> ./nss_ldap.so.1
-rwxr-xr-x 1 root bin 945144 nss_ldap.so.1

Copy the libldapssl40.so module to /usr/lib and set up the permissions as follows:

-rwxr-xr-x 1 root sys 1574000 libldapssl40.so

You can now configure the Solaris system as identified earlier to allow users to authenticate to the Solaris system using their eDirectory user credentials.

Configuring SSL with cert7.db

As mentioned earlier, the Netscape SSL library requires the Trusted Root to be stored in a cert7.db format. You will need two tools from Netscape that allow a Trusted Root certificate from the Novell PKI system to be converted into the cert7.db format. These tools are named KEYUTIL.EXE and CERTUTIL.EXE, and you can download them from http://developer.netscape.com.

Once you have obtained these two tools, follow these steps to complete the setup.

  1. Export the Trusted Root from the Novell CA via ConsoleOne. If a third-party digital certificate is being used, export the Trusted Root from the KMO object created to store the private key that is being used by the LDAP Server configuration object. Export the Trusted Root using the .der format.

  2. Run the KEYUTIL.EXE utility using the -N option. This will create a new, empty keystore.

  3. Run the CERTUTIL.EXE utility using the -N option. This will create a new, empty certificate store.

  4. Run CERTUTIL.EXE with the following options:

  1. Copy the newly-created cert7.db file to the /etc/ssl/certs directory on the Solaris server. The system can now be configured to access eDirectory via an SSL encrypted connection.

  2. Edit the ldap.conf file and change the following lines as indicated:

The system should now be able to communicate via SSL with eDirectory.

Conclusion

This AppNote has discussed the design and implementation details of a project undertaken to allow users of UNIX systems to consume user account and group information from eDirectory using LDAP.

Copyright ©2002 by Novell, Inc. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose without the express written permission of Novell.

All product names mentioned are trademarks of their respective companies or distributors.